wjl You should not be using a Pixel 3a anymore. It's a highly insecure end-of-life device not supported by GrapheneOS anymore. You shouldn't present it as if you're using official GrapheneOS anymore.

    cgro0550 Canvas fingerprinting has absolutely nothing to do with the display. It's based on the browser and GPU hardware/firmware/driver. It does not vary across the same device model running the same OS version. It's the same between GrapheneOS and the stock OS within the same browser and is the same across most Chromium-based browsers since they implement the canvas in the same way.

    Graph_Curious hi brave does nothing more than vanadium for privacy, it's the opposite: all grapheneos users have vanadium. if you were on Android you would have to use chome to be confidential and on iPhone you would have to use safari. however brave gives you a sense of privacy because it blocks ads. Keep vanadium and don't change anything in the settings if you want to be confidential

      Paflechien brave does nothing more than vanadium for privacy, it's the opposite: all grapheneos users have vanadium. if you were on Android you would have to use chome to be confidential and on iPhone you would have to use safari

      I disagree and think what you are talking about is anonymity, not privacy, and it is only true in case you don't give identifying data away in the first place. Using the Tor Browser and good OPSEC (like not changing Browser settings beyond setup or not logging in to any online accounts) could effectively make you disappear in a mass of identically looking users, but it's nothing that Vanadium, Brave, Chrome or Safari sets out to do. Vanadium is arguably the most secure browser out there by default, but not the most private or anonymous. Brave does block some ads by default, which in some cases increases privacy compared to Vanadium. Whether Braves anti-fingerprinting measures are really effective against modern tracking methods is also arguable. Personally I prefer Vanadium and DNS ad blocking via VPN, but different setups come with different advantages...

      Here's a month old post of mine that tries to explain the difference between security, privacy and anonymity:
      Security to me means protecting your data/assets against unauthorized access. Privacy means controlling the (meta)data you give away (and ideally giving away as little as possible). Anonymity would be the ability to hide in a mass and not be identifiable, even if some of your data can be seen. While all three can empower/enable each other, they are mostly independent.

      Edit: Added information

      Thank you for your reply GrapheneOS

      I know that the kernel and firmware updates from that Pixel3a were from last year August or so, and that it's not officially supported by GrapheneOS anymore - sorry in case it sounded wrong, never meant that.

      And although it's a bit off-topic in this thread (maybe we can start another one for this?), I'm a bit reluctant to send perfectly working hardware to the landfill, and the same will apply to my daughter's Pixel 4a 5G coming November or so. We both love the headphone jacks, so for her a 7a wouldn't be a good replacement. So what would be your advice for older hardware, without kernel and firmware support from companies like Qualcomm and Google? "Giving away" such hardware only puts the problems on others' shoulders...

        wjl [...] I'm a bit reluctant to send perfectly working hardware to the landfill [...]

        It's a very real issue. But these days so much of the device is software, including firmware, that the device can't be "perfectly working" if the software is vulnerable to remote exploit.

        To their credit, Google is trying to move the needle with longer support for their newer hardware. Interestingly, moving more parts of the device in-house is part of that - similar to Apple. Part of the problem with buying parts from a bevy of suppliers is that software for the device as a whole ends up at the mercy of all of those parties. Over time the landscape may improve. One thing that could help would be for a phone manufacturer targeting longevity (such as Fairphone) to sit down with the GrapheneOS team to get some solid security advice, and make changes accordingly.

        As a practical matter, once a device falls out of GrapheneOS support if you have low-security uses for it you might look at some other platforms such as DivestOS.

          de0u As a practical matter, once a device falls out of GrapheneOS support if you have low-security uses for it you might look at some other platforms such as DivestOS.

          That is very good advice I think - especially because the dev of DivestOS also recommends GrapheneOS for those who can easily afford new Pixel devices... thanks!

          I've always used hardened Brave with Proton VPN but since Proton Pass has been a cluster with Brave on Android I've been using hardened Firefox Nightly. Is it a better practice to use Vanadium with Proton Netshield enabled?

            NightSky that depends mostly on your threat model. On Android, Cromium based browsers are inherently more secure than Firefox based Browsers. I'll leave the details to the pros since my knowledge is far from ironclad here. You're okay with ProtonPass though, which is relatively new and untested (compared to for example Bitwarden or KeePassDX) and can be a security concern as well. So Firefox and ProtonPass could just be right for what you want to achieve. If you're looking for highest security, I assume Vanadium (plus KeePassDX) would be recommended here, compared to Brave or pretty much anything else.

            Let's not forget that this thread is about Brave and Vanadium, so for deeper comparisons to Firefox you might want to open a separate thread.

            3 months later
            • [deleted]

            • Edited

            matchboxbananasynergy The issue with Brave is it may give you a false sense of privacy.

            Hi, I understand your overall position but how can you say, like @Paflechien , that Brave only gives a "false sense of security" while it EFFECTIVELY passes, following privacytests.org,

            • all the state partitioning test
            • blocks all the tracking query parameter
            • Tracker content blocking tests
              ?

            I mean, this is no theories. Brave really does something !

            It really blocks Adobe
            Adobe Audience Manager
            Amazon adsystem
            AppNexus
            Bing Ads
            Chartbeat
            Criteo
            DoubleClick (Google)
            Facebook tracking
            Google (third-party ad pixel)
            Google Analytics
            Google Tag Manager
            Index Exchange
            New Relic
            Quantcast
            Scorecard Research Beacon
            Taboola
            Twitter pixel
            Yandex Ads
            !

              Icecube
              Sadly, using a DoH provider as your only adblocker won't be as effective as using Brave or Cromite.

                • [deleted]

                What I don't understand is why people are still asking questions about safety. Vanadium is installed natively, it's the most secure browser, it has no equivalent on android, you won't find better. All the others are inferior. If you want to block ads, you'd better change the DNS at system level, it's written on the website. After that, you can install whatever browser you want, but they'll only be less efficient.

                  • [deleted]

                  • Edited

                  [deleted]
                  What you do not understand is that people like me admit that YES Vanadium is more secure and that YES we know that blocking via DNS level is great for privacy, but not as effective as Brave. Just look at privacytests.org and compare to you own browser privacytests.org/me.html ...

                  Icecube
                  Its great that it's enough for you, but it's not enough for me sadly.

                  I'm using DuckDuckGo for the most part, it used WebView so most of the security should carry over. If you don't want to use a WebView browser there is always Cromite.

                  • [deleted]

                  [deleted] Refer to Daniel's response here

                  Also, Arthur (Who seems to be the main developer of privacytests.org) responded to thestinger's response here.